From f7dc984d60a93643492bd87f9fcce0e7c2042841 Mon Sep 17 00:00:00 2001 From: Thomas Lynch Date: Thu, 11 Jul 2024 21:09:24 +1000 Subject: [PATCH] Testing new ACLs for query string --- docker-compose.yml | 1 + haproxy/haproxy.cfg | 20 +++++++++++--------- haproxy/map/hosts.map | 1 + 3 files changed, 13 insertions(+), 9 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index f088049..6d9fed8 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -48,6 +48,7 @@ services: nginx: ports: - 81:80 + - 82:80 image: "nginx:latest" volumes: - ./nginx:/usr/share/nginx/html diff --git a/haproxy/haproxy.cfg b/haproxy/haproxy.cfg index c240950..d6a434d 100644 --- a/haproxy/haproxy.cfg +++ b/haproxy/haproxy.cfg @@ -69,13 +69,14 @@ frontend http-in # drop requests with invalid host header acl is_existing_vhost hdr(host),lower,map_str(/etc/haproxy/map/hosts.map) -m found + acl has_query query -m found + acl on_bot_check path /.basedflare/bot-check http-request silent-drop unless is_existing_vhost # debug information at /.basedflare/cgi/trace http-request return status 200 content-type "text/plain; charset=utf-8" lf-file /etc/haproxy/template/trace.txt if { path /.basedflare/cgi/trace } - http-request track-sc0 query table count_qs_throttle if { query -m found } - http-request redirect location http://%[hdr(host)]/%[table_cnt(count_qs_throttle)] code 302 if TRUE + http-request track-sc1 query table count_qs_throttle if has_query !on_bot_check # acl for blocked IPs/subnets/ASN/country http-request lua.set-lang-json @@ -91,7 +92,7 @@ frontend http-in http-request deny deny_status 403 if blocked_bool # ratelimit (and for tor, kill circuit) on POST bot-check. legitimate users shouldn't hit this. - # http-request track-sc0 src table bot_check_post_throttle if { path /.basedflare/bot-check } { method POST } + http-request track-sc0 src table bot_check_post_throttle if on_bot_check { method POST } # http-request lua.kill-tor-circuit if { sc_http_req_rate(0) gt 1 } # http-request tarpit if { sc_http_req_rate(0) gt 1 } @@ -106,6 +107,8 @@ frontend http-in acl ddos_mode_enabled_override str("true"),map(/etc/haproxy/map/ddos_global.map) -m found acl ddos_mode_enabled hdr(host),lower,map(/etc/haproxy/map/ddos.map) -m found acl ddos_mode_enabled base,map(/etc/haproxy/map/ddos.map) -m found + acl large_unique_query_count table_cnt(count_qs_throttle) -m int gt 1000 + acl ddos_mode_enabled_override acl(large_unique_query_count,has_query,!on_bot_check) # serve challenge page scripts directly from haproxy http-request return file /etc/haproxy/js/auto.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "Cache-Control" "public, max-age=86400" if { path /.basedflare/js/auto.min.js } @@ -113,11 +116,6 @@ frontend http-in http-request return file /etc/haproxy/js/challenge.js status 200 content-type "application/javascript; charset=utf-8" hdr "Cache-Control" "public, max-age=86400" if { path /.basedflare/js/challenge.min.js } http-request return file /etc/haproxy/js/worker.min.js status 200 content-type "application/javascript; charset=utf-8" hdr "Cache-Control" "public, max-age=86400" if { path /.basedflare/js/worker.min.js } - # acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo) - acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/map/maintenance.map) -m found - #http-request lua.set-lang-json - http-request return lf-file /etc/haproxy/template/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "Cache-Control" "private, max-age=30" if maintenance_mode - # rewrite specific domain+path to domain or domain+path http-request redirect location https://%[base,map(/etc/haproxy/map/rewrite.map)] code 302 if { base,map(/etc/haproxy/map/rewrite.map) -i -m found } @@ -131,7 +129,6 @@ frontend http-in acl validate_pow var(txn.validate_pow) -m bool # check pow/captcha and show page if necessary - acl on_bot_check path /.basedflare/bot-check http-request use-service lua.bot-check if on_bot_check !is_excluded # challenge decisions, checking, and redirecting to /bot-check @@ -140,6 +137,11 @@ frontend http-in http-request lua.pow-check if !is_excluded !on_bot_check validate_pow OR !is_excluded !on_bot_check ddos_mode_enabled_override http-request redirect location /.basedflare/bot-check?%[capture.req.uri] code 302 if validate_captcha !captcha_passed !on_bot_check ddos_mode_enabled !is_excluded OR validate_pow !pow_passed !on_bot_check ddos_mode_enabled !is_excluded OR !pow_passed ddos_mode_enabled_override !on_bot_check !is_excluded + # acl for domains in maintenance mode to return maintenance page (after challenge page htp-request return rules, for the footerlogo) + acl maintenance_mode hdr(host),lower,map_str(/etc/haproxy/map/maintenance.map) -m found + #http-request lua.set-lang-json + #http-request return lf-file /etc/haproxy/template/maintenance.html status 200 content-type "text/html; charset=utf-8" hdr "Cache-Control" "private, max-age=30" if maintenance_mode + # X-Cache-Status header (may be sent in some non-cache responses because NOSRV can happen for other reasons, but should always be present in responses served by cache-use) http-response set-header X-Cache-Status HIT if !{ srv_id -m found } http-response set-header X-Cache-Status MISS if { srv_id -m found } diff --git a/haproxy/map/hosts.map b/haproxy/map/hosts.map index 6fb6e9f..08b926e 100644 --- a/haproxy/map/hosts.map +++ b/haproxy/map/hosts.map @@ -1 +1,2 @@ localhost.com 127.0.0.1:81 +localhost 127.0.0.1:82